How to Build an Effective, Accurate ROPA for Your Business
We’re in a modern age of data privacy. Since the General Data Protection Regulation (GDPR) went into effect in May 2018, companies face a new reality when it comes to their responsibility toward individuals and their data.
With that comes an unprecedented emergence of privacy laws aimed at protecting data subjects and their personal and sensitive information — and more organizations are building privacy frameworks designed to comply with those laws.
Transparency — and why it’s important
One way we think of privacy in this new reality is in terms of transparency: how clear organizations are about their data policies and processes, in the notices they provide to data subjects, in their documentation of how they process data, and in their ability to report on it.
Transparency into data practices and policies builds trust for organizations — and ensures and enables accountability. You can’t openly prove that you honor data subjects’ preferences if you can’t find and track their data throughout your organization — or remediate problems with sensitive information if you can’t discover where it went wrong.
Before GDPR, most companies lacked the motivation to build efficient and effective privacy programs. Without a push from regulators and the threat of penalties for violations, the need for accountability was low for privacy offices and organizations in general.
GDPR, Article 30, and ROPAs
Enter GDPR, which brought accountability into the foreground with Article 30.
Article 30 states that controllers and processors must maintain Records of Processing Activities, commonly referred to as ROPAs. This means that controllers and processors must now be able to readily provide certain details on the data they collect. These details include:
- name and contact info
- categories of data subjects and the personal data they process
- categories of recipients to whom data will be disclosed
- third-party transfer information
- retention and destruction policies
- the purposes for data processing activities
- the technical and administrative security measures they have in place
That’s a lot of information, and many different types of it, and companies must be prepared to supply these records to supervisory authorities upon request. Some authorities even recommend providing additional information.
The Information Commissioner’s Office (ICO) in the UK advises organizations to include records of consent, agreements with processors, data protection impact assessments, location of personal data, references to security incidents, and whether data was processed on a lawful basis — on top of the required ROPA list.
Keeping good records empowers organizations not only to provide authorities with the right information on how they protect their data, but also to operationalize effective practices that continuously optimize their data privacy programs. The Belgian DPA argues that record-keeping is an important accountability instrument: “Organisations that do not know their data will find it much more difficult to comply with the GDPR.”
Without direct, accurate, and comprehensive data knowledge, reporting is haphazard, scattered, and cannot clearly demonstrate how an organization implements accountability practices.
Automating Your Data to Know Your Data
You may have heard the saying, “a journey of a thousand miles starts with a single step.” So, while the process of documenting the full lifecycle of your company’s data may seem overwhelming, taking meaningful steps toward knowing your data is a manageable place to start.
The ICO recommends effective data mapping as a first step in the process to “help ensure nothing is missed.” Organizations can build an accurate, efficient, and scalable data inventory with automated data discovery and classification that offers complete visibility into all of their data, personal and sensitive, across all data types and all data sources.
BigID enables companies to build and continuously update an indexed inventory of all personal and sensitive information, integrating policies and business context while incorporating insight and perspective. This is particularly important so that organizations can explain not only the data they have, but the purpose behind their data’s collection and processing.
As more and more legal regulations emerge around organizations’ collection and use of data subjects’ information, privacy principles like transparency and accountability will become even more present. This means more requirements like maintaining ROPAs, submitting to audits, and making key metrics available to data subjects and regulators alike.
Accountability today means that businesses must have technical measures in place to prove their responsibility with consumer data. Through automated discovery, classification, and mapping, organizations can clearly establish a sound privacy program — and report on the what, how, and why behind the data they process.
Learn more about how BigID can help your company automate GDPR Article 30 record-keeping and build an accurate, effective ROPA.